Trends in SOX 404 reporting on ICFR

You probably recall that, under SOX 404(b), all public reporting companies, other than non-accelerated filers and EGCs, are required to obtain an auditor attestation regarding the effectiveness of their internal control over financial reporting. SOX 404(a) requires all public reporting companies, including non-accelerated filers, to provide an assessment of ICFR by management. An analysis by Audit Analytics of SOX 404 reporting on ICFR over 14 years showed that the number of adverse auditor attestations—auditor attestations indicating ineffective ICFR— followed different trend lines than management-only assessments.

You probably recall that, under SOX 404(b), all public reporting companies, other than non-accelerated filers and EGCs, are required to obtain an auditor attestation regarding the effectiveness of their internal control over financial reporting. SOX 404(a) requires all public reporting companies, including non-accelerated filers, to provide an assessment of ICFR by management. An analysis by Audit Analytics of SOX 404 reporting on ICFR over 14 years showed that the number of adverse auditor attestations—auditor attestations indicating ineffective ICFR— followed different trend lines than management-only assessments.

Starting in 2004, there were 454 adverse auditor attestations (or 15.9% of the total population of attestations). That number increased in 2005 to a high of 492 (although declining as a percentage to 12.6%), but then tiptoed down to a low of 141 (3.5%) in 2010. Arguably, following SOX, the introduction of auditor attestations imposed some discipline on the process, which led initially to the identification of more ICFR issues, but declined thereafter as companies began to get a better handle on the process. After that, the number steadily rose again to hit 246 (6.7%) in 2016, which the analysis attributes to more aggressive oversight from the PCAOB. In 2017, the number of adverse attestations declined to 176 (4.9%), a 28% decrease and the first decline since 2010.

What were the key issues in ICFR identified by auditors in 2017? The most common issue (65%) was a material or numerous year-end adjustments by auditors, reported in 115 adverse auditor attestations. The most common adjustment related to revenue recognition and, with the new revenue recognition standard finally now in effect, it would not be surprising to see that number increase this year. The next most common issues were lack of competence or training of accounting personnel (98), inadequate disclosure controls (49), segregation of duties/design of controls (49) and IT, software, security and access issues (48).

Management-only assessments (performed by smaller companies) seem to have followed a different path. The first year non-accelerated filers were required to make assessments was 2007. In that year, there were 1,089 adverse assessments, representing 30% of small companies. The number rose to a high of 1,727 (34.9%) in 2010—curiously, a year when adverse auditor attestations were at their low point. Unlike auditor attestations, the numbers were almost identical for the period from 2011 to 2013 at around 1,616; however, the percentages varied from 35.6% to 39.5%. Although the number dipped in 2014 to 1,556, the percentage of smaller companies with management reports showing ineffective ICFR reached a high in that year of 40.8%, then dipped every year after. In 2017, the number fell to 1,191 (38.1%). The most startling aspect of the analysis here is that, every year, at least one-third of non-accelerated filers disclosed ineffective ICFR, reaching a high of almost 41% in 2014.

For management–only assessments, the most common issues leading to ineffective ICFR in 2017 were staffing-related: lack of competence or training of accounting personnel was identified in 943 assessments, followed by segregation of duties/design of controls (personnel) at 874. Less frequently cited were ineffective, non-existent or understaffed audit committees (341), inadequate disclosure controls (254) and year-end auditor adjustments (218), the last being the issue that topped the list for auditors.

But what happens to this data if, as anticipated, the SEC amends the rules to raise the threshold for the auditor attestation requirement from the current $75 million in public float to $250 million in public float? Since the proposal to expand the definition of “smaller reporting company” was issued in 2016, there has also been a significant push to modify the SOX 404(b) requirement. In particular, the application of SOX 404(b) to smaller companies has been subject to a torrent of criticism, including in the final report in 2017 of the SEC’s Advisory Committee on Small and Emerging Companies. (See this PubCo post.) Why the anguish over SOX 404(b)? That provision has been characterized as a significant contributor to the type of regulatory overload that some argue has deterred companies from conducting IPOs. Although no change to the SOX 404(b) threshold was adopted in connection with the change to the SRC definition, the SEC took note of the concern and, just this year, SEC Chair Jay Clayton directed the staff to come up with potential amendments to reduce the number of companies subject to SOX 404(b), while, of course, maintaining appropriate investor protections. (See this PubCo post.)

As reported here, a study conducted by Audit Analytics for MarketWatch found that, if the SEC did raise the threshold as suggested, about 20% of the affected companies “will be hiding negative opinions.” According to MarketWatch, the data shows that in “2016, there were 35 adverse opinions at companies between $75 million and $250 million in market capitalization, or 14.2% of a total of 256 auditor ICFR opinions. In 2017, 52 adverse opinions on ICFR were issued by auditors for companies between $75 and $250 million in market capitalization, or 27.2% of the 191 total adverse opinions on all public companies. That means over two years, 87 out of 447 opinions, or 19.4%, of all companies in that market-cap range had negative opinions.”

It appears that Chair Clayton might well disagree with the characterization that, in the event of a relaxation of the rule, negative opinions would be “hidden.” In a speech before the 36|86 Entrepreneurship Festival in Nashville, Tennessee, Clayton focused on a point that he viewed as “often misunderstood”: that even those companies that are not now required to obtain a SOX 404(b) auditor attestation must still “establish, maintain and assess the effectiveness of ICFR, and, even if not engaged to report on ICFR, independent auditors are still responsible for considering ICFR in the performance of their financial statement only audits. In considering ICFR, independent auditors can better plan their audits and provide management and audit committees with observations about the company’s ICFR. (See this PubCo post.)

This blog is provided for general informational purposes only and no attorney-client relationship with the law firm Cooley LLP and Cooley (UK) LLP is created with you when you use the blog. By using the blog, you agree that the information on this blog does not constitute legal or other professional advice. Do not send any confidential information through the blog or by email to Cooley LLP and Cooley (UK) LLP, neither of whom will have any duty to keep it confidential. The blog is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments. The opinions expressed on the blog are the opinions of the authors only and not those of Cooley LLP and Cooley (UK) LLP.